In preparing the above patch, I did some basic research on Kodi and stumbled on an interesting feature. I think this ticket highlights it nicely. Notice the GET requests like this:
http://htpc.xyz.zyx/image/image%3A%2F%2Fhttp%253a%252f%252fimage.tmdb.org%252ft%252fp%252foriginal%252faAmfIX3TT40zUHGcCKrlOZRKC7u.jpg%2F
This request will cause the Kodi instance at htpc.xyz.zyx to send an HTTP request to a server at image.tmdb.org. The image from image.tmdb.org gets returned all the way back to the original caller. Essentially, basic proxy behavior. What makes this even more interesting is that you can encode the URL so that you jump through multiple Kodi servers. I wrote a PoC here.
Perhaps more interesting is that Kodi won't reject a request for a non-image until after it has downloaded the payload. This allows a user to potentially send arbitrary data to any server of their choice via Kodi. I wrote another PoC for a (bad) chat program here.
I also looked through the codebase at the other special file handlers. One of them is "vfs/ssh://". This handler will try to log in to a provided SSH server. We can use this handler to brute force SSH servers using Kodi as a proxy. I wrote yet another PoC here.
You might be asking yourself, "Are these vulnerabilities?" I think not. These appear to be intentional features. Like it or not, features are not vulnerabilities.
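As an added example (not code from the poster or from the Kodi project), the following script shows the decoding the post describes from the defender's side: it unwraps the double-encoded `image://` path from web-server access-log lines, follows the chained hops the post mentions, and flags any final upstream host that is not on an allowlist. The log lines, the hostnames, and the `build_image_path` helper used to construct the nested sample are assumptions made for this demo.

```python
"""Decode Kodi /image/ proxy requests found in access logs and report the upstream target."""
import re
from urllib.parse import quote, unquote, urlsplit

IMAGE_PREFIX = "/image/"
SCHEME = "image://"


def build_image_path(url: str) -> str:
    """Encode a URL the way the request in the post is shaped: image://<urlencoded>/, then
    the whole path segment percent-encoded again (assumption for constructing test input)."""
    return IMAGE_PREFIX + quote(SCHEME + quote(url, safe="") + "/", safe="")


def resolve_image_url(path: str) -> list:
    """Return the list of URLs a /image/ request would make Kodi fetch, hop by hop.
    Decoding is followed through any hop that itself points at another /image/ endpoint."""
    hops = []
    current = path
    while current.startswith(IMAGE_PREFIX):
        decoded = unquote(current[len(IMAGE_PREFIX):])       # first layer: HTTP path encoding
        if not decoded.startswith(SCHEME):
            break
        inner = decoded[len(SCHEME):]
        if inner.endswith("/"):
            inner = inner[:-1]                                # strip the trailing "/" of image://.../
        target = unquote(inner)                               # second layer: Kodi's own encoding
        hops.append(target)
        current = urlsplit(target).path                       # loop if the target is another /image/
    return hops


REQUEST_RE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/')


def scan_log(lines, allowed_hosts):
    """Scan access-log lines; return one record per /image/ request with its upstream host,
    the hop chain, and whether the final host is on the allowlist."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hops = resolve_image_url(match.group(1))
        if not hops:
            continue
        host = urlsplit(hops[-1]).hostname
        findings.append({
            "client": line.split()[0],
            "hops": hops,
            "chained": len(hops) > 1,
            "upstream_host": host,
            "allowed": host in allowed_hosts,
        })
    return findings


# Constructed sample input: a second Kodi host and a final target used to build a nested request.
NESTED_TARGET = "http://example.org/pic.jpg"
SECOND_KODI = "http://htpc2.example.internal:8080"
NESTED_PATH = build_image_path(SECOND_KODI + build_image_path(NESTED_TARGET))

# Constructed access-log lines; the first path is the one quoted in the post.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:12:00:00 +0000] "GET /image/image%3A%2F%2Fhttp%253a%252f%252f'
    'image.tmdb.org%252ft%252fp%252foriginal%252faAmfIX3TT40zUHGcCKrlOZRKC7u.jpg%2F HTTP/1.1" 200 51234',
    '10.0.0.5 - - [01/Jan/2020:12:00:01 +0000] "GET /jsonrpc HTTP/1.1" 200 88',
    f'10.0.0.9 - - [01/Jan/2020:12:00:02 +0000] "GET {NESTED_PATH} HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG, allowed_hosts={"image.tmdb.org"}):
        status = "ok" if finding["allowed"] else "UNEXPECTED UPSTREAM"
        chain = " -> ".join(finding["hops"])
        print(f'{finding["client"]} {status} {finding["upstream_host"]}: {chain}')
```

The allowlist is the practical control: a Kodi box whose skins and scrapers only ever need a handful of artwork CDNs should never be seen proxying to anything else, and a hop chain longer than one is worth a look on its own.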